In some situations, an application may not divulge any data to you directly, but it may behave in ways that enable you to reliably infer useful information.
We have already encountered many instances of this phenomenon in the course of examining other categories of common vulnerability. For example:
- A registration function that enables you to enumerate registered usernames on the basis of an error message when an existing username is chosen (see Chapter 6).
- A search engine that allows you to infer the contents of indexed documents that you are not authorized to view directly (see Chapter 11).
- A blind SQL injection vulnerability in which you can alter the application's behavior by adding a binary condition to an existing query, enabling you to extract information one bit at a time (see Chapter 9).
- The “padding oracle” attack in .NET, where an attacker can decrypt any string by sending a series of requests to the server and observing which ones result in an error during decryption (see Chapter 18).
Another way in which subtle differences in an application's behavior may disclose information occurs when different operations take different lengths of time to perform, contingent upon some fact that is of interest to an attacker. This divergence can arise for various reasons:
- Many large and complex applications retrieve data from numerous backend systems, such as databases, message queues, and mainframes. To improve performance, some applications cache information that is ...
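The username-enumeration and timing points above can be seen together in a login check. The following is an added example, not code from the book: a hypothetical login handler that leaks whether a username exists, both through its error message and because it skips the slow password hash entirely for unknown users, next to a hardened version that does the same amount of work and returns the same message on every failure path. The user store, salts and credentials are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # deliberately slow key derivation, as a real password store would use

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample user store: username -> (salt, derived hash). Hypothetical data.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy credential so the hardened path still runs a full derivation for unknown users.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(secrets.token_hex(16), _DUMMY_SALT)

HASH_CALLS = {"count": 0}  # instrumentation: counts derivations instead of measuring wall-clock time

def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["count"] += 1
    return hmac.compare_digest(_pbkdf2(password, salt), expected)

def login_leaky(username: str, password: str):
    """Vulnerable: unknown users get a distinct message AND a fast response (no hash computed)."""
    if username not in USERS:
        return (False, "Unknown username")
    salt, expected = USERS[username]
    if not _verify(password, salt, expected):
        return (False, "Incorrect password")
    return (True, "OK")

def login_uniform(username: str, password: str):
    """Hardened: one derivation on every path and a single generic failure message."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # _verify runs first so the cost is paid whether or not the username exists.
    ok = _verify(password, salt, expected) and username in USERS
    return (ok, "OK" if ok else "Invalid username or password")

def hash_calls_for(fn, username: str, password: str) -> int:
    """Return how many derivations one login attempt triggered (a proxy for response time)."""
    before = HASH_CALLS["count"]
    fn(username, password)
    return HASH_CALLS["count"] - before
```

Comparing `hash_calls_for` for a known and an unknown username shows the leak: the vulnerable handler does zero work for unknown users, the hardened one always does exactly one derivation.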